Des Browne: On 21 January 2008, Official Report, columns 1225-37 and 7 February 2008, Official Report, column 78WS, I informed the House about the theft of laptop computers containing a database with personal records relating to individuals who had expressed interest in joining the armed forces, and that I had invited Sir Edmund Burton to conduct a full investigation into the circumstances that led to the MOD's loss of this personal data; the effectiveness of the immediate measures we introduced to prevent any recurrence; and the adequacy of the Department's policy, practice and management arrangements for the protection of personal data more generally.
	Sir Edmund has reported, and I have placed a copy of his report in the Library of the House and published it on the Department's website at: www.mod.uk. I am very grateful for the effort that Sir Edmund and his team have put into this review. The report is in two parts with an executive summary. Part one sets out the events leading up to the loss of data on 9 January 2008, covering the relevant issues surrounding the Training Administration and Financial Management Information System (TAFMIS) and the attendant policies and procedures. Part two considers the broader MOD approach to personal data protection, drawing on the emerging findings of the Cabinet Office Review of Data Handling Procedure in Government, whose final report is also being published today. Further detail and a summary of Sir Edmund's 51 recommendations are given in the annexes to the report. These have been published in full, although the names of those consulted have been redacted.
	I accept all 51 of Sir Edmund's recommendations, and I am determined that we should learn the wider lessons to be drawn from this incident. At the direction of the Defence board, an action plan has been prepared to implement the recommendations, and this is being published today also. The senior management of the MOD, in the form of the Defence board, accepts that it has ultimate responsibility for the effectiveness of the Department's information management and assurance, and will supervise the implementation of the action plan.
	The action plan has been shown to Sir Edmund, who has indicated that it has his support and is in his view capable of delivering the improvements in practice which his report concludes are necessary. Sir Edmund's report, and the action plan including the immediate steps we have taken to bring the TAFMIS system into compliance with the Data Protection Act have also been shared with the Information Commissioner; we will keep his office appraised of progress.
	On the TAFMIS recruitment system, Sir Edmund's report has set out, to the extent that he has been able to establish the facts, the sequence of events that led to the Royal Navy and Royal Air Force version of the system being unencrypted. This confirms that efforts were made to encrypt the system through an encryption upgrade, and that this was successful for most of the system. However, in August 2006 the encryption on the 55 TAFMIS laptops containing the Royal Navy/Royal Air Force recruit database was reported not to be working as expected. Despite examining all the available papers and interviewing relevant personnel from the Army Recruiting and Training Division (ARTD), who manage the contract for the system on behalf of all three armed services, and the system provider, EDS, Sir Edmund has been unable to find an explanation of why encryption of these 55 was not pursued by another means, and those using the system came to believe that it was encrypted when it was not. His main conclusions are that aspects of the TAFMIS project were poorly managed both by the ARTD's internal project manager and EDS; that for periods in 2006 and 2007 the laptops in question were being used in breach of MOD laptop encryption security policy; and that in certain key respects, detailed in the report, the TAFMIS system is still in breach of data protection regulations. His findings have confirmed my own suspicion that there was no robust business reason for so much personal data to be carried around by recruiting officers on their laptops. Action is already in hand to remedy this position.
	After studying the report, the Chief of the General Staff has ordered an inquiry to investigate whether there are grounds to pursue either disciplinary or administrative action in respect of the management of the contract between the Army and EDS.
	On the more general aspects of his review, Sir Edmund finds that departmental policies and procedures generally are fit for purpose and he gives some examples of good practice by the Department (the role of the MOD's senior information risk owner; the emergency measures introduced after the loss which have been effective in preventing similar damaging losses; the network of data protection officers; and the good security data protection and information risk management procedures of the organisations within the Department for whom handling of large volumes of personal data is core business); but he is highly critical of the Department's general treatment in practice of information, knowledge and data as key operational and business assets, and of low levels of awareness of the threats to information and of the requirements of data protection legislation. Therefore, his recommendations focus on training and steps to raise awareness and compliance, and to raise the profile of the issue within our various management boards.
	Sir Edmund's investigation and other internal inquiries have established more of the facts than were available when I made my statement to the House on 21 January. Of the 600,000 recruits or potential recruits who were in the TAFMIS data base, about 1,000 dated back to 1977. In a substantial proportion of cases, the records included more limited information about next of kin and contact details for referees.
	We have also established that, in addition to the three stolen TAFMIS laptop computers referred to in the statement, a further two laptops similar to those stolen in January 2008 and October 2006 were stolen from cars: a Royal Navy laptop in Bristol in August 2004 and a Royal Air Force laptop in Leeds in July 2006. In both cases the laptops were believed at the time to have been encrypted and Ministers were not informed of the losses. The personal data held on these laptops were a subset of that held on the laptop stolen on 9 January 2008 and so does not affect anyone not already affected by that incident.
	Following the theft of the laptop on 9 January, the Department conducted a full internal investigation into the details of computer and other electronic storage media lost or stolen since 2003 when mandatory reporting of such incidents was introduced. This investigation has now been completed and the collated data was provided to Sir Edmund Burton as part of his review. He has summarised key elements of the data in his report.
	Prior to 2003 the reporting of lost and stolen laptops was not centrally collated and it has been found that the figures for the period 1995 to 2002 may be incomplete and therefore unreliable. As the details of incidents for this period are no longer available it is not possible to provide updated figures.
	In conclusion, I reiterate my deep regret over both the losses of personal data and the systemic weaknesses within parts of the MOD that led to this situation. As the Cabinet Office report also published today highlights, these reflect challenges faced by all parts of Government but that does not make them any more acceptable. Both I and senior MOD management are determined to act quickly and decisively on Sir Edmund's recommendations and bring about an early significant improvement in practice within the Department in this important area.